Description: Some vulnerabilities have been reported in the Linux kernel. One has an unknown impact, and the others can be exploited to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

1) An error exists in ROSE due to missing verification of the ndigis argument of new routes.
2) Any user with permissions to access a SCSI tape device can send some commands, which may cause it to become unusable for other users.
3) Some unspecified errors have been reported in the ISO9660 filesystem handler including Rock Ridge and Joliet extensions. These can be exploited via a specially crafted filesystem to cause a DoS or potentially corrupt memory leading to execution of arbitrary code.

Solution: The vulnerabilities have been fixed in version 2.6.12-rc1.

Original Advisory: Kernel.org: http://kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.12-rc1
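The class of check that item 1 says was missing, shown as an added user-space model (not the kernel's code and not the upstream patch): a caller-supplied count is verified against the fixed array size before it is used as a loop bound. The names `route_req`, `route_entry`, `route_add` and the values of `MAX_DIGIS` and `ADDR_LEN` are assumptions made for this illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

#define MAX_DIGIS 6   /* assumed array capacity, constructed for this model */
#define ADDR_LEN  7   /* assumed address size in bytes, constructed */

/* Caller-supplied request: every field is untrusted input. */
struct route_req {
    unsigned int  ndigis;                           /* claimed digipeater count */
    unsigned char digipeaters[MAX_DIGIS][ADDR_LEN];
};

/* Route entry owned by the (hypothetical) routing table. */
struct route_entry {
    unsigned int  ndigis;
    unsigned char digipeaters[MAX_DIGIS][ADDR_LEN];
};

/* Reject a count larger than the array before it is used as a bound.
 * The field is unsigned, so a "negative" value arrives as a huge number
 * and is rejected by the same comparison. */
static int route_req_validate(const struct route_req *req)
{
    if (req == NULL)
        return -EINVAL;
    if (req->ndigis > MAX_DIGIS)
        return -EINVAL;
    return 0;
}

/* Add a route: validate first, then copy exactly ndigis entries.
 * In this model, skipping the validation would let the loop below
 * index past the end of both digipeaters[] arrays. */
int route_add(struct route_entry *dst, const struct route_req *req)
{
    if (dst == NULL || route_req_validate(req) != 0)
        return -EINVAL;

    memset(dst, 0, sizeof(*dst));
    dst->ndigis = req->ndigis;
    for (unsigned int i = 0; i < req->ndigis; i++)
        memcpy(dst->digipeaters[i], req->digipeaters[i], ADDR_LEN);
    return 0;
}
```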
ISO9660 vulnerabilities are now treated in bug 86784
Created attachment 56383: 2.6.11 Compound Patch
Created attachment 56384: 2.6.10 (and below) Compound Patch
mips-sources fixed.
2) Any user with permissions to access a SCSI tape device can send some commands, which may cause it to become unusable for other users. Alan Cox says the patch to solve this is totally wrong, and I'd agree with my basic knowledge of the SCSI command table. No proper fix is available (but I'm not even sure if one is needed...)
Obsoleting patches: Alan Cox says the upstream fix (which said patches contain) is wrong, so we're now waiting on upstream for the SCSI issue. For the ROSE issue please use: http://linux.bkbits.net:8080/linux-2.6/gnupatch@423114bcdthRtmtdS6MsZiBVvteGCg
ROSE Fixed in usermode-sources-2.6.11
Here's the new/approved scsi tape fix: http://dev.gentoo.org/~dsd/gentoo-sources/release-11.10/dist/1105_scsi_tape.patch
All fixed in gentoo-sources-2.6.11-r7
Kumba: CCing you again as there's a new fixed bug for the SCSI issues, see http://dev.gentoo.org/~dsd/gentoo-sources/release-11.10/dist/1105_scsi_tape.patch
tseng,tocharian,kang,trulux: you guys need these updates for hardened-sources-2.6.x and rsbac-sources-2.6.x
Ok, so the new upstream SCSI fix is no good (again): http://marc.theaimsgroup.com/?l=linux-scsi&m=111497008818281&w=2 ... please apply only the ROSE fix for now.
Created attachment 57758: ROSE fixes with minor cleanup and SCSI tape fix removed.
A new patchset has been uploaded to http://pearls.tuxedo-es.org/gentoo/hardened/kernel/hardened-patches-2.6-11.3.tar.bz2. Also, two ebuilds are provided: http://pearls.tuxedo-es.org/gentoo/hardened/kernel/hardened-sources-2.6.11-r1.ebuild (uses pearls.tuxedo-es.org as HGPV_SRC) and the one using tseng's space at dev.gentoo.org (default): http://pearls.tuxedo-es.org/gentoo/hardened/kernel/hardened-sources-2.6.11-r1.ebuild.tseng Cheers, Lorenzo.
Created attachment 57762: The correct patch for the ROSE driver fix (without the rest of cleanups and not necessary changes)
This is the right patch. Thanks Tim for pointing out the right CSET.
New patchset with the correct patch uploaded to http://pearls.tuxedo-es.org/gentoo/hardened/kernel/hardened-patches-2.6-11.3.tar.bz2. Cheers, Lorenzo.
rsbac-sources fixed with latest patch as r-s-2.6.11-r3
Removing Lorenzo from cc per request via email.
All fixed, closing bug.